Hello Mark, thank you, I know, I just twisted it here. Still, now it works
without it but it won't if I have it inserted.

Thank you again for your help and have a great weekend!
Matthias

On Fri, 30 Jun 2023 at 18:39, Mark H. Wood <mwoodiu...@gmail.com> wrote:

> On Fri, Jun 30, 2023 at 01:11:28AM -0700, Matthias Letsch wrote:
> > Thank you for your reply.
> >
> > I have the OIDs delivered by the IDP which are the following:
> >
> > urn:oid:1.3.6.1.4.1.5923.1.1.1.6
> > urn:oid:2.5.4.42
> > urn:oid:2.5.4.4
> > urn:oid:0.9.2342.19200300.100.1.3
> > urn:oid:2.16.840.1.113730.3.1.241
> >
> > So this is what I put into attribute-map.xml:
> >
> > <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID"/>
> > <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
> > <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
> > <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
> > <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
> >
> > And this is on the other side in
> > [dspace-backend]/config/modules/authentication-shibboleth.cfg:
> >
> > authentication-shibboleth.netid-header = SHIB-NETID
> > authentication-shibboleth.email-header = SHIB-MAIL
> > (...)
> > authentication-shibboleth.firstname-header = SHIB-GIVENNAME
> > authentication-shibboleth.lastname-header = SHIB-SURNAME
> >
> > If I have the attributePrefix="_AJP" in shibboleth2.xml, nothing at all
> > arrives at DSpace from the login attempt. (403)
>
> That should be "AJP_" not "_AJP".  See
> https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html#env
>
> > If I delete it, at least there is a 401 "authentication failed" and
> > dspace.log throws the error mentioned above.
> >
> > I added allowedRequestAttributesPattern="SHIB-.*" to the AJP connector in
> > tomcat9/conf/server.xml
> >
> > The inherited result is still the same. To make matters worse, now this
> > morning after these minimal changes in the Shib XML files and in
> > server.xml, for some reason the following came up when I tried to reload
> > the page:
> >
> > Service Unavailable
> >
> > The server is temporarily unable to service your request due to maintenance
> > downtime or capacity problems. Please try again later.
> >
> > Apache/2.4.38 (Debian) Server at ... Port 443
> >
> > After resetting to the state before these changes the service runs normally
> > again (still without Shibboleth of course). Is it possible that it is
> > somehow due to the module? I don't know exactly, because our DSpace was
> > originally installed by an external company, but I guess that at the moment
> > only mod_proxy is used for the communication between Apache and Tomcat.
> >
> > Kind regards,
> > Matthias
> > Mark H. Wood wrote on Thursday, 29 June 2023 at 15:57:26 UTC+2:
> >
> > > On Thu, Jun 29, 2023 at 03:10:32AM -0700, Matthias Letsch wrote:
> > > > This has at least resulted in the 403 becoming a 401 and DSpace noticing
> > > > something about the login attempt, which I consider positive progress.
> > > >
> > > > However, DSpace now complains in the logs that it cannot find the required
> > > > attributes:
> > > >
> > > > 2023-06-29 11:58:35,693 ERROR unknown unknown
> > > > org.dspace.authenticate.ShibAuthentication @ Shibboleth authentication was
> > > > not able to find a NetId, Email, or Tomcat Remote user for which to
> > > > indentify a user from.
> > > > 2023-06-29 11:58:35,707 ERROR unknown unknown
> > > > org.dspace.authenticate.ShibAuthentication @ Unable to register new eperson
> > > > because we are unable to find an email address along with first and last
> > > > name for the user.
> > > > NetId Header: 'SHIB-NETID'='null' (Optional)
> > > > Email Header: 'SHIB-MAIL'='null'
> > > > First Name Header: 'SHIB-GIVENNAME'='null'
> > > > Last Name Header: 'SHIB-SURNAME'='null'
> > > > 2023-06-29 11:58:35,709 INFO unknown unknown
> > > > org.dspace.app.rest.security.EPersonRestAuthenticationProvider @
> > > > anonymous::failed_login:email=null, result=4
> > > > 2023-06-29 11:58:35,719 ERROR unknown unknown
> > > > org.dspace.app.rest.security.StatelessLoginFilter @ Authentication failed
> > > > (status:401)
> > > > org.springframework.security.authentication.BadCredentialsException: Login
> > > > failed
> > > >
> > > > So I guess I need to modify the attribute-map.xml accordingly to match the
> > > > expected attributes under
> > > > [dspace]/config/modules/authentication-shibboleth.cfg.
> > > >
> > > > The documentation at
> > > > https://wiki.lyrasis.org/display/DSDOC7x/Authentication+Plugins#AuthenticationPlugins-ShibbolethAuthentication
> > > > provides a template for attribute-map with the attributes that seem to
> > > > match at first glance.
> > > >
> > > > But unfortunately that alone does not change anything for us. Do you
> > > > possibly know more about this?
> > >
> > > You need to know the OIDs used by your Shibboleth IDP to label the
> > > attributes that you want. These may vary from site to site.
> > > attribute-map.xml maps them to names SHIB-NETID and the rest. If you
> > > don't give the right OIDs, nothing will be mapped into the request.
> > >
> > > You also need to know (or set) the request attributes that DSpace
> > > expects. That's the other side of the mapping.
> > >
> > > Here we are using attributePrefix='AJP_' and it works. We do not set
> > > ShibUseHeaders. Tomcat will strip the prefix and pass the attributes
> > > through in the Request. But Tomcat must be configured to accept more
> > > than the default set of attributes: the AJP connector must have
> > > allowedRequestAttributesPattern="SHIB-.*" to let them through.
> > >
> > > --
> > > Mark H. Wood
> > > Lead Technology Analyst
> > >
> > > University Library
> > > Indiana University - Purdue University Indianapolis
> > > 755 W. Michigan Street
> > > Indianapolis, IN 46202
> > > 317-274-0749
> > > www.ulib.iupui.edu
> > >
> >
> > --
> > All messages to this mailing list should adhere to the Code of Conduct:
> > https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "DSpace Technical Support" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to dspace-tech+unsubscr...@googlegroups.com.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/dspace-tech/58f3c054-6e9f-4366-834c-4f6c89adfd15n%40googlegroups.com.
>
>

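Added example, not configuration from the thread or from the DSpace project: the three files Mark's explanation touches, written out end to end for the OIDs and SHIB-* names Matthias posted, so that the path from IdP attribute to the header names in authentication-shibboleth.cfg can be read in one place. The entityID, the REMOTE_USER choice, the AJP address, port and secret, and the renaming of displayName to SHIB-DISPLAYNAME are my assumptions; the OIDs and the other ids are those from the thread.

```xml
<!-- (a) shibboleth2.xml, Shibboleth SP. attributePrefix="AJP_" makes mod_shib
     export every mapped attribute as an environment variable AJP_<id>;
     mod_proxy_ajp forwards AJP_* variables to Tomcat as AJP request
     attributes with the prefix removed. "_AJP" is not that prefix, so
     nothing is forwarded at all. entityID and REMOTE_USER are assumed values;
     the SSO element and the other handlers are unchanged and omitted here. -->
<ApplicationDefaults entityID="https://dspace.example.org/shibboleth"
                     REMOTE_USER="SHIB-NETID"
                     attributePrefix="AJP_">
  <Sessions lifetime="28800" timeout="3600" checkAddress="false"
            handlerSSL="true" cookieProps="https">
    <!-- Check point: https://dspace.example.org/Shibboleth.sso/Session lists
         the attributes the SP decoded for the current session. If they are
         missing there, the problem is IdP attribute release or
         attribute-map.xml, not Tomcat or DSpace. -->
    <Handler type="Session" Location="/Session" showAttributeValues="true"/>
    <!-- ... SSO, Logout, Metadata and Status handlers as before ... -->
  </Sessions>
</ApplicationDefaults>

<!-- (b) attribute-map.xml. Same OIDs as in the thread. Each id must be spelled
     exactly like the DSpace *-header key it feeds, and every id must match the
     Tomcat allowedRequestAttributesPattern in (c): one non-matching attribute
     name makes Tomcat reject the whole request with 403. For that reason the
     thread's "displayName" is renamed SHIB-DISPLAYNAME here (DSpace does not
     read it). The ScopedAttributeDecoder from the stock file is kept so the
     scope of eduPersonPrincipalName can still be checked against IdP metadata. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="SHIB-NETID">
    <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
  </Attribute>
  <Attribute name="urn:oid:2.5.4.42" id="SHIB-GIVENNAME"/>
  <Attribute name="urn:oid:2.5.4.4" id="SHIB-SURNAME"/>
  <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="SHIB-MAIL"/>
  <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="SHIB-DISPLAYNAME"/>
</Attributes>

<!-- (c) tomcat9/conf/server.xml, the AJP connector. Tomcat accepts arbitrary
     AJP request attributes only when the entire name matches this pattern.
     The connector is bound to loopback and requires the shared secret:
     anything that can open a TCP connection to this port can set request
     attributes itself, SHIB-MAIL included, and DSpace would log that
     connection in as whoever it names. address, port and secret are assumed. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="replace-with-a-long-random-string"
           allowedRequestAttributesPattern="SHIB-.*"
           redirectPort="8443"/>
```

On the Apache side this only works if the DSpace backend is proxied over AJP rather than HTTP (a `ProxyPass ... ajp://127.0.0.1:8009/...` worker; the `secret=` worker parameter exists in httpd 2.4.42 and later, so on an older unpatched build the choice is between `secretRequired="false"` with a loopback bind and host firewall, or upgrading). The DSpace side is the mapping already in the thread: netid-header = SHIB-NETID, email-header = SHIB-MAIL, firstname-header = SHIB-GIVENNAME, lastname-header = SHIB-SURNAME. Two caveats when the ids are renamed like this: the stock attribute-policy.xml applies its ScopeMatchesShibMDScope rule to attributeID="eppn", so once the id is SHIB-NETID that rule no longer matches and a copy for the new id is needed, otherwise any federated IdP can assert a principal name in another institution's scope. And if attributes are carried as HTTP headers instead (ShibUseHeaders On), a client can send its own SHIB-MAIL header; mod_shib clears the headers it knows about on requests it protects, but any route to Tomcat that bypasses mod_shib is open to spoofing, which is why the AJP request-attribute path Mark describes is the safer transport.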